Re: [lxc-devel] [PATCH 1/8] templates: require running as root

2013-07-21 Thread Stéphane Graber
On Fri, Jul 19, 2013 at 02:26:48PM +, Serge Hallyn wrote: > From: Serge Hallyn > > Up to now lxc-create ensured that you were running as root. Now the > templates which require root need to do it for themselves. Templates > which do mknod definitely require root. > > Signed-off-by: Serge H

Re: [lxc-devel] [PATCH 5/8] send current cgroup to lxc_cgroup_create()

2013-07-21 Thread Stéphane Graber
On Fri, Jul 19, 2013 at 02:26:52PM +, Serge Hallyn wrote: > From: Serge Hallyn > > This is needed if we're going to have unprivileged users > create containers inside cgroups which they own. > > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/cgroup.c | 51

Re: [lxc-devel] [PATCH 3/8] container creation: support unpriv container creation in user namespaces

2013-07-21 Thread Stéphane Graber
On Fri, Jul 19, 2013 at 02:26:50PM +, Serge Hallyn wrote: > From: Serge Hallyn > > 1. lxcapi_create: don't try to unshare and mount for dir backed containers > > It's unnecessary, and breaks unprivileged lxc-create (since unpriv users > cannot yet unshare(CLONE_NEWNS)). > > 2. api_create: c

Re: [lxc-devel] [PATCH 7/8] cgroup: don't set devices cgroup if not in init_user_ns

2013-07-21 Thread Stéphane Graber
On Fri, Jul 19, 2013 at 02:26:54PM +, Serge Hallyn wrote: > From: Serge Hallyn > Hmm, I may be missing context with that diff, but where exactly is the code making this check userns-specific? > Signed-off-by: Serge Hallyn > --- > src/lxc/cgroup.c | 8 > 1 file changed, 8 insertio

Re: [lxc-devel] The containers mini-summit at Linux Plumbers 2013 is now accepting talk proposals

2013-07-21 Thread Stéphane Graber
On Tue, Jul 16, 2013 at 10:26:12AM +0200, Thomas Dalichow wrote: > Hey guys, > > excuses for replying this way to Stéphane's mail, but I'm only subscribed to > GMANE RSS-Feed of this list. > > I'm referring to this mail: > >http://comments.gmane.org/gmane.linux.kernel.containers.lxc.devel/3

Re: [lxc-devel] [PATCH 2/8] lxc-create: support unpriv users

2013-07-21 Thread Stéphane Graber
On Fri, Jul 19, 2013 at 02:26:49PM +, Serge Hallyn wrote: > From: Serge Hallyn > > Just make sure we are root if we are asked to deal with something other > than a directory, and make sure we have permission to create the > container in the given lxcpath. > > The templates will need much mor

Re: [lxc-devel] [RFC 0/8] Unprivileged container creation and use

2013-07-21 Thread Stéphane Graber
On Fri, Jul 19, 2013 at 02:26:47PM +, Serge Hallyn wrote: > With this patchset, I am able to create and start an ubuntu-cloud > container completely as an unprivileged user, on an ubuntu saucy > host with the kernel from ppa:ubuntu-lxc/kernel and the nsexec > package from ppa:serge-hallyn/usern

Re: [lxc-devel] [PATCH 4/8] ubuntu-cloud: changes to support unprivileged use

2013-07-21 Thread Stéphane Graber
On Fri, Jul 19, 2013 at 02:26:51PM +, Serge Hallyn wrote: > From: Serge Hallyn > > don't try to lock if using a specified tarball > > The lock/subsys/lxc-ubuntu-cloud lock is to protect the tarballs > managed under /var/cache/lxc/cloud-$release. Don't lock if we've > been handed a tarball.

Re: [lxc-devel] [PATCH 6/8] A few changes for unprivileged lxc-start

2013-07-21 Thread Stéphane Graber
On Fri, Jul 19, 2013 at 02:26:53PM +, Serge Hallyn wrote: > From: Serge Hallyn > > When doing reboot test, must add clone_newuser to clone flags, else > we can't clone(CLONE_NEWPID). > > If we don't have caps at lxc-start, don't refuse to start. Drop the > lxc_caps_check() function altogeth

Re: [lxc-devel] [PATCH 8/8] fix chowning of tty and console uids

2013-07-21 Thread Stéphane Graber
On Fri, Jul 19, 2013 at 02:26:55PM +, Serge Hallyn wrote: > From: Serge Hallyn > > It needs to be done from the handler, not the container, since > the container may not have the rights. > > Signed-off-by: Serge Hallyn > --- > src/lxc/conf.c | 126 > +++